IPSec tunnel and policy NAT question

Hello All!
I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
2. I need to translate outgoin IP address of our end of IPSec tunnel to a different IP address
I have impemented following configuration, but for some reason it is not working, I get packets decrypted on my end, but dont have packets encrypted to send to the other end.
Here is the configuration
Remote end  crypto interesting ACL:
ip access-list extended crypto-interesting-remote
permit ip host 192.168.1.10 host 10.0.0.10
My end configuration:
interface GigabitEthernet0/0
ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN
ip access-list extended crypto-interesting-local
permit ip host 10.0.0.10 host 192.168.1.10
interface GigabitEthernet0/3
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
speed auto
ip nat inside source static 172.16.0.20 10.0.0.10   (to translate loca IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
Any response highly appreciated!
Thanks!

Figured that out.
The problem was in route
ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
should be next-hop IP address instead of interface gigabitethernet0/0
Apparently packet arrives on the interface but does not pass it, when having route like this, becuase there is no one sitting with 192.168.168.10 ip address on the outside

Similar Messages

  • IPSec Tunnel and Making Changes While Up

    My main MPLS circuit is down and i have two IPSec tunnels up to my remote sites.
    Everything is routing fine but i wanted to add a sub net to my NAT and Tunnels.
    Can i add a new subnet to my local network/remote network and save/apply without killing or reseting my active IPSec tunnels?                  

    Reza has interpreted your question in terms of NAT and I agree with him that you should be able to change the NAT configuration without impacting other parts of the router operation and connectivity.
    But I read your question as involving both NAT and IPSec tunnels. And I believe that the answer is different when you consider IPSec tunnels. You can go ahead and change the configuration of the tunnels while they are up. But the tunnels negotiated their Security Associations based on the config in place when the tunnels came up. They will continue to use those Security Associations after you make your config change. So if you are changing things like what subnets are in the access list used to identify traffic for IPSec these changes will not take effect until a new Security Association is negotiated. You can either wait for the lifetime to expire and new SA negotiated or your can reset the IPSec tunnels and force a new negotiation. Also note that if you are changing the access list on your end that someone on the other end needs to make a corresponding change on their end.
    HTH
    Rick

  • ASA IPsec Remote Access VPN | NAT Question

    We have a situation where a company that needs remote VPN access to our network is having an IP conflict with our subnet.  I know this is a common issue and can often be resolved on the client side by changing the metirc on the network interface, but I am looking for a better solution on our end so I do not have to suggest workarounds.
    Part of the problem is likely that our subnet is "too big", but I'm not going to be changing that now.
    We are using 10.0.0.0/24 and the remote is using 10.0.11.0/24 and 10.1.0.0./16
    I played around with some NAT rules and feel that I am missing something  I am looking for suggestions, please.
    Thank you.

    Hi,
    This depends on your ASA firewalls software version and partly on its current NAT configurations.
    I presume the following
    Interfaces "inside" and "outside"
    VPN Pool network of 10.10.100.0/24 (or some 192/172 network)
    Software 8.2 and below
    access-list VPN-POLICYNAT remark Static Policy NAT for VPN Client
    access-list VPN-POLICYNAT permit ip 10.0.0.0 255.255.255.0 10.10.100.0 255.255.255.0
    static (inside,outside) 192.168.10.0 access-list VPN-POLICYNAT
    Key things to keep in mind with this software level is that if any of our internal hosts on the network 10.0.0.0/24 also have a "static" configuration that binds their local IP address to a public IP address then you might have to insert the above configuration and then remove the original "static" command and enter it back again.
    This will change the order or the "static" commands so that the original "static" command wont override this new configuration as they are processed in order they are inserted to the configuration. The remove/add part is just to change their order in the configuration
    Software 8.3 and above
    object network LAN
    subnet 10.0.0.0 255.255.255.0
    object network LAN-VPN
    subnet 192.168.10.0 255.255.255.0
    object-group network VPN-POOL
    subnet 10.10.100.0 255.255.255.0
    nat (inside,outside) 1 source static LAN LAN-VPN destination static VPN-POOL VPN-POOL
    In the above configuration we do the same as in the older software versions configuration but we have the number "1" in the "nat" configuration which places it at the very top of your NAT configurations and therefore it applies. No need to remove any existing configuration and enter them again like in the old software
    In addition to the above NAT configuration you naturally have to make sure that the traffic to the NATed LAN network goes to the VPN. So if using Split Tunnel the NAT network needs to be added to the VPN ACL. If using Full Tunnel then naturally everything should already be coming through the VPN. I imagine though that you are using Split Tunnel, or?
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni

  • IPSEC tunnel and Routing protocols Support

    Hi Everyone,
    I read IPSEC does not support Routing Protocols with Site to Site VPN as they both are Layer4.
    Does it mean that If Site A  has to reach Site B over WAN  link we should use Static IP on Site A and Site B  Router?
    In  my home Lab i config Site to Site IPSES  VPN  and they are working fine  using OSPF  does this mean that IPSEC supports Routing Protocol?
    IF someone can explain me this please?
    OSPF  config A side
    router ospf 1
    router-id 3.4.4.4
    log-adjacency-changes
    area 10 virtual-link 10.4.4.1
    passive-interface Vlan10
    passive-interface Vlan20
    network 3.4.4.4 0.0.0.0 area 0
    network 192.168.4.0 0.0.0.255 area 10
    network 192.168.5.0 0.0.0.255 area 0
    network 192.168.10.0 0.0.0.255 area 0
    network 192.168.20.0 0.0.0.255 area 0
    network 192.168.30.0 0.0.0.255 area 0
    network 192.168.98.0 0.0.0.255 area 0
    network 192.168.99.0 0.0.0.255 area 0
    3550SMIA#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 192.168.5.3 to network 0.0.0.0
    O    192.168.12.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
         100.0.0.0/32 is subnetted, 1 subnets
    O       100.100.100.100 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
         3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    O       3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    C       3.4.4.0/24 is directly connected, Loopback0
    C    192.168.30.0/24 is directly connected, Vlan30
         64.0.0.0/32 is subnetted, 1 subnets
    O E2    64.59.135.150 [110/300] via 192.168.5.3, 1d09h, FastEthernet0/11
         4.0.0.0/32 is subnetted, 1 subnets
    O       4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    C    192.168.10.0/24 is directly connected, Vlan10
         172.31.0.0/24 is subnetted, 4 subnets
    O E2    172.31.3.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.2.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.1.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.0.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.11.0/24 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8
    C    192.168.99.0/24 is directly connected, FastEthernet0/8
    C    192.168.20.0/24 is directly connected, Vlan20
         192.168.5.0/31 is subnetted, 1 subnets
    C       192.168.5.2 is directly connected, FastEthernet0/11
    C    10.0.0.0/8 is directly connected, Tunnel0
         192.168.6.0/31 is subnetted, 1 subnets
    O       192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.1.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
    O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11
    B Side Config
    Side A
    router ospf 1
    log-adjacency-changes
    network 192.168.97.0 0.0.0.255 area 0
    network 192.168.98.0 0.0.0.255 area 0
    network 192.168.99.0 0.0.0.255 area 0
    1811w#  sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 192.168.99.2 to network 0.0.0.0
    O    192.168.12.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
         100.0.0.0/32 is subnetted, 1 subnets
    O       100.100.100.100 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
         3.0.0.0/32 is subnetted, 2 subnets
    O       3.3.3.3 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O       3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         64.0.0.0/32 is subnetted, 1 subnets
    O E2    64.59.135.150 [110/300] via 192.168.99.2, 1d09h, FastEthernet0
         4.0.0.0/32 is subnetted, 1 subnets
    O       4.4.4.4 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         172.31.0.0/24 is subnetted, 4 subnets
    O E2    172.31.3.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.2.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.1.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.0.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.11.0/24 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
    C    192.168.98.0/24 is directly connected, BVI98
    C    192.168.99.0/24 is directly connected, FastEthernet0
    O    192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         192.168.5.0/31 is subnetted, 1 subnets
    O       192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         192.168.6.0/31 is subnetted, 1 subnets
    O       192.168.6.2 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.1.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
    O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0
    Thanks
    Mahesh

    Hello,
    I'm saying crypto maps have a lot of limitations. Tunnel Protection make way more sense
    U can configure in 2 ways [ and multicast WILL work over it]
    1- GRE over IPSEC
    crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
    mode transport
    crypto ipsec profile tp
    set transform-set aes
    int tu1
    ip address 255.255.255.252
    tunnel source
    tunnel destination
    tunne protection ipsec profile tp
    We have configured mode transport because we encrypt GRE + what ever we encapsule in GRE [ eg OSPF - telnet - http ]
    Pros:
    We can as well transport IPV6 or CDP
    Cons:
    4 bytes of overhead due to GRE
    2- IP over IPSEC
    crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
    mode tunnel
    crypto ipsec profile tp
    set transform-set aes
    int tu1
    ip address 255.255.255.252
    tunnel source
    tunnel destination
    tunnel mode ipsec ipv4
    tunne protection ipsec profile tp
    This config is in fact closer from a crypto map [ from encapsulation standpoint]. The transform-set then NEED to be in tunnel-mode
    Pro:
    4 bytes overhead less than GRE over IPSEC
    Cons:
    Cannot transport CDP or MPLS or IPV6. Very limiting IMHO
    Cheers
    Olivier

  • Cisco Nexus 5ks EIGRP and Policy routing question.

    We just got installed a METRO LINK between our primary and secondary data center (Site-A <> Site-B) I would like to be able to route data replication between these two sites over that link, instead of going over MPLS.  We run EIGRP internally and BGP to the MPLS (typical scenario)
    At first I thought about doing ‘Policy Based Routing’ with IP SLA to be able to track and route traffic coming from the 10.10.10.0/24 bound to 10.11.11.0/24 and track link state with IP SLA in case the metro link would go down;  data replication would continue to flow over MPLS.
    In researching this, I found out that Cisco NX-5ks and 6Ks don’t support IP SLA and there is no telling if they will support it any time in future releases either.
    I haven’t turned on routing (EIGRP)  between the two 5ks over the metro link yet. 
    Also, I don’t want to statically route replication traffic over the link unless I have to. It would have to  be a manual change in case I need to re-route it over the MPLS.
    See attached drawing
    Any help would be greatly appreciated.
    Marramix01 

    can you calculate the metrics of the two different links for EIGRP? 
    Once you have that you would know which one EIGRP would say is the best path. Then if the MPLS link is not the primary path then you can use Offset-list to force the traffic to and from subnets and still have failover with EIGRP. 
    I hope I understood your problem correctly. 

  • NAT of overlapping network through IPSEC tunnel

    I am having a NAT problem constructing a router to PIX tunnel (12.4-15T3 to 7.2). I need to both NAT overload through the outside interface for all internet traffic and NAT to a private network for traffic that will flow through an IPSEC tunnel.
    Because there is network overlap between sites I have added a NAT on the router as follows:
    1) A NAT pool of 254 172.17.20.x addresses.
    2) An access list permiting traffic to the hosts on the other side of the tunnel.
    3) A NAT source statement using the above ACL and pool.
    The IPSEC configuration then includes the 172.17.20.x addresses in the tunnel specification. The tunnel pegs up correctly under this config, traffic originating behind the router is NATd to 172.17.20.x if and only if the traffic matches the access list.
    However, once a host has created a 172.17.20.x NAT translation, the normal overload NAT out to the internet no longer works. Even if the second traffic destination does not match the access-list created for the 172.17.20.x NAT statement, the existing translation slot is used. Since 172.17.20.x is not valid on the internet, this has a negative effect on the staff in this location :-/
    Both NATing to the internet (using overload PAT on the outside IP address) and NATing for the tunnel (using the list of 172.17.20.x address) are necessary. What am I missing?

    Refer to PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks) Configuration Example
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

  • Double Natting Question

    We just moved into a new place and shaw provides a wireless router for the broadband 50 connection no intstead of just a standalone bridge for the cable modem now.
    2 devices are
    Airport Extreme
    Cisco - DPC3825
    I was just upgrarding firmware and I get this message.
    Problem 1/1 - Double Nat
    Screenshot attached of error
    So I am wondering if I should put this in bridge mode so or in second option. Or should I configure cisco router in bridge mode and change this? Just wondering if anyone had any real life expereince with these.
    Also I work from home and I use an aruba remote ap (RAP2) It creates an ipsec tunnel and connects back to our controller in California. Before we moved I had this connected into my airport extreme that was connected directly to the motorola cable modem.
    Appreciate the help on this.

    You should definitely configure the AirPort Exteme in Bridge Mode since you already have another router "upstream" on your network.
    If you select the "Share a single IP address setting", you will have two devices....both trying to act as routers distributing IP addresses and handling NAT services.
    That....is a virtual guarantee that you will have multiple conflicts on the network.

  • IPSec Tunnel (reform) examples

    Would it be possible to use Solaris 10u4 new IPSec tunnel (reform) feature to build Solaris VPN server, where I have a list of remote systems (each with different dynamic IP) and Solaris server which allows them to connect to internal network ?
    Thanks.

    This link ( http://docs.sun.com/app/docs/doc/816-4554/6maoq0228?a=view ) has an overview of how IPsec Tunnel Mode policy works with a VPN. You should examine these for more examples.
    A simple single-node remote access case would look like the following.
    Assume:
    C == client's external-network IP address
    S == server's external-network IP address
    c == client's internal IP address
    s == server's internal-network IP address
    On the server side:
    Configure (but do not enable) an IP-in-IP tunnel once you've assigned the client's IP address (assume there are no other tunnels for now...):
    ifconfig ip.tun0 plumb s c tsrc S tdst C
    Now add policy for that tunnel, enabling JUST the single internal IP address for the client to go through. Add this line via ipsecconf(1M), let's use AES and HMAC-SHA-1
    # When the "tunnel" keyword is present, inner-addresses are the selectors.
    {tunnel ip.tun0 negotiate tunnel raddr *c* } ipsec {encr_algs aes encr_auth_algs sha1}
    Then bring the tunnel up:
    ifconfig ip.tun0 up
    I assume you have IKE properly configured between S and C.
    On the client side, it's pretty much the same but with local/remote or src/dst reversed:
    ifconfig ip.tun0 plumb c s tsrc C tdst S
    then feed this into ipsecconf(1M):
    { tunnel ip.tun0 negotiate tunnel laddr *c* } ipsec {encr_algs aes encr_auth_algs sha1}
    and finally:
    ifconfig ip.tun0 up.
    The docs pointer shows office-to-office examples where you may wish to protect one or more subnets.
    Hope this helps,
    Dan
    Edited by: danmcd on Sep 18, 2007 2:27 PM

  • VLAN's over Internet/IPSec Tunnel

    Hi All !
    I have a problem.
    I have trunked 5 VLANS from various sites over sattelite and have them all ending on a hub router ,
    but my difficulty now is in getting them sent to the HQ over the internet.
    I have thought about only 2 ways of possibly being able to do this
    1. Get a leased Line :-)
    2. and the only feasable alternative ! is to get the VLANs sent per IPSec over the internet but this is my problem....
    How do I get a packet from a VLAN into an IPSec tunnel and vice versa ?
    What equipment would I need ? (more switches/routers)
    Do I need 1 IPSec tunnel for each VLAN to keep them separate from each other ?
    Can someone please help.

    You have posted this same question on the WAN Routing and Switching forum where it has gotten some responses. I suggest that we consolidate the discussion of this question on that forum.
    HTH
    Rick

  • IPSEC Tunnel vs IKE Tunnel?

    I am running ASDM 5.1 and PIX 7.1(1)
    When I look in the gui it always reports a different number for IPSEC Tunnels and IKE Tunnels, I didn't know that there was a difference? For example right now it is reporting, 45 IKE Tunnels and 53 IPSEC Tunnels. What does this mean?
    Thanks :)

    They are not the same. 45 IKE Tunnels represents how tunnels are established with peers. 53 ipsec Tunnels represents how many sessions are being encrpted amongst those peers.
    HTH

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2  is at HQ and ASA1 is a remote site. I have no problem setting up a  static static Site to Site IPSEC VPN between sites. Hosts residing at  10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but  what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16  will communicate with hosts at 192.168.1.0/24 with translated addresses
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
    The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
    It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
    Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
    Appreciate if someone can shed some light on it.

    Hi,
    Ok so were going with the older NAT configuration format
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni

  • IPSEC tunnel with NAT and NetMeeting

    I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN however it is not able to call anyone passed the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
    Thanks,

    The following doc should help...
    http://www.cisco.com/warp/public/707/ipsecnat.html

  • Static NAT with IPSec tunnel

    Hi,
    I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office.  I am fairly new to networking so forgive me if I ask some really silly questions!
    I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch.  These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
    There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel.  What I wanted to do was create another vlan, give this a different subnet.  Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall. 
    From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
    So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work.  I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside)
    The configuration can be seen below for the NAT part;
    ! Denies vpn interesting traffic but permits all other
    ip access-list extended NAT-Traffic
    deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
    deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
    deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
    deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
    deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
    permit ip any any
    ! create route map
    route-map POLICY-NAT 10
    match ip address NAT-Traffic
    ! static nat
    ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
    Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down.  Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
    Am I along the right lines in terms of configuration?  And if not can anyone point me in the direction of anything that may help at all please?
    Many thanks in advance
    Brian

    Hi,
    Sorry to bump this thread up but is anyone able to assist in configuration?  I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
    Thanks
    Brian

  • Help on establishing Ipsec tunnel btw 1941 and ASA

       We are creating an Ipsec tunnel over the internet to another site but is not working, could someone help me on what could be happening?
    My config:
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname XXXX
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable XXXXX
    enable password XXXXXX
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip cef
    ip domain name yourdomain.com
    ip name-server XXX.XXX.XXX.XXX
    ip name-server XXX.XXX.XXX.XXX
    multilink bundle-name authenticated
    password encryption aes
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-4075439344
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4075439344
    revocation-check none
    rsakeypair TP-self-signed-4075439344
    crypto pki certificate chain TP-self-signed-4075439344
    certificate self-signed 01
      3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 34303735 34333933 3434301E 170D3131 30393139 30323236
      34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373534
      33393334 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100A35E B6AC0BE0 57A53B45 8CF23671 F91A18AC 09F29E6D AEC70F4D EF3BDCD6
      269BFDED 44E26A98 7A1ABCAA DB756AFC 719C3D84 8B605C2A 7E99AF79 B72A84BC
      89046B2D 967BB775 978EF14D A0BD8036 523B2AE1 1890EB38 BCA3333B 463D1267
      22050A4F EAF4985A 7068024A A0425CE7 D3ADF5F5 C02B2941 67C9B654 6A7EF689
      049B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
      551D2304 18301680 1408B59A 57733D6E 157876B3 72A91F28 F8D95BAB D2301D06
      03551D0E 04160414 08B59A57 733D6E15 7876B372 A91F28F8 D95BABD2 300D0609
      2A864886 F70D0101 05050003 81810094 ED574BFE 95868A5D B539A70F 228CC08C
      E26591C2 16DF19AB 7A177688 D7BB1CCB 5CFE4CB6 25F0DDEB 640E6EFA 58636DC0
      238750DD 1ACF8902 96BB39B5 5B2F6DEC CB97CF78 23510943 E09801AF 8EB54020
      DF496E25 B787126F D1347022 58900537 844EF865 36CB8DBD 79918E4B 76D00196
      DD9950CB A40FC91B 4BCDE0DC 1B217A
            quit
    license udi pid CISCO1941/K9 sn FTX1539816K
    license boot module c1900 technology-package securityk9
    username XXXXXXXXXXXXXX
    redundancy
    crypto isakmp policy 60
    encr aes
    authentication pre-share
    group 2
    crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
    crypto isakmp profile mode
       keyring default
       self-identity address
       match identity host XXX.XXX.XXX.XXX
       initiate mode aggressive
    crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
    crypto map outside 60 ipsec-isakmp
    set peer XXX.XXX.XXX.XXX
    set transform-set VPNbrasil
    set pfs group2
    match address vpnbrazil
    interface Tunnel0
    ip unnumbered GigabitEthernet0/1
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description WAN
    ip address XXX.XXX.XXX.XXX 255.255.255.248
    ip nat outside
    no ip virtual-reassembly in
    duplex full
    speed 100
    crypto map outside
    interface GigabitEthernet0/1
    description Intercon_LAN
    ip address XXX.XXX.XXX.XXX 255.255.255.252
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map outside
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 2 interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX name Internet
    ip access-list extended natvpnout
    permit ip host XXX.XXX.XXX.XXX any
    permit ip any any
    ip access-list extended vpnbrazil
    permit icmp XXX.XXX.XXX.XXX 0.0.0.255 any
    permit icmp any XXX.XXX.XXX.XXX 0.0.0.255
    permit ip any any
    access-list 1 permit any
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.1 log
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 3 permit XXX.XXX.XXX.XXX
    access-list 23 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 23 permit any log
    control-plane
    b!
    line con 0
    login local
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input all
    telnet transparent
    line vty 5
    access-class 23 in
    privilege level 15
    login
    transport input all
    telnet transparent
    line vty 6 15
    access-class 23 in
    access-class 23 out
    privilege level 15
    login local
    transport input telnet ssh
    transport output all
    Could someone please help me on what could be wrong? and What tests should I do?
    Rds,
    Luiz

    try a simple configuration w/o isakmp proflies
    have a look at this link:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

  • Direct Access 2012 R2 - Problems with Force Tunneling and other questions

    I have just setup a Direct Access 2012 R2 server in my network, 2012 domain and all Windows 8 clients. 
    Internal CA environment (no external CRL) using a public issued cert for IPHTTPS tunnel, 2 interfaces for the DA server, 1 internal and 1 in the DMZ behind a NAT firewall (1 public IPv4 address) and my test clients are connecting fine to internal resources.
    1.  When I enable Force Tunneling the clients no longer are able to access the external internet.  Is there anything I need to add to make this work?
    2.  I am having trouble with our Remote Desktop Session Hosts.  I can only assume it has something to do with the DNS  as we have our AD domain performing internal DNS of the int.contoso.com domain and public DNS performing for the external
    Contoso.com domain (RDWA etc).  DA has only int.contoso.com set as a DNS Name Suffix in the Infrastructure Setup.  Should I add the external contoso.com Name Suffix in there too?
    3.  I have a Kaspersky Security Center server for centralized AV admin, can I still push out AV updates to the clients that connect with DA.  Do I add my KSC server to the Management Servers list in the Infrastructure Server Setup page on the DA
    setup.   Does that list allow those servers to access the DA clients?

    Hi,
    Let's solve problems one by one. Force tunneling. When enabled, all network trafic from DirectAccess clients goes throught IPSEC tunnels. Just configure a proxy on your DirectAccess clients (with a FQDN of course) and your clients should be able to surf
    internet again.
    RDS : Depend. Where are your RDS servers registred internal zone DNS or external DNS zone. If a DirectAccess client cannot resolve a name it does not know if it has to go throught the tunnel. At last can you ping your RDS Server?
    Remote Management : Right. Adding servers in this list allow them to use the IPSEC infrastructure tunnel (computer established tunnel) without users being logged.
    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

Maybe you are looking for